My raw speculation:
1) It is missed because the virus.cfg is using the "PRESCAN ON" switch (the default, I believe) and the declude.exe application does not decode the MIME or other coding as flexibly as a mail client would, or makes an uninformed decision about what is an object worth scanning.
ANSWER: use PRESCAN OFF instead. This will incur more CPU time as the selected antivirus scanner(s) will be scanning all objects.
2) For F-Prot specifically, the /server switch is not being used and therefore F-Prot is not doing the message format decoding. If Declude did a perfect job, this setting would be irrelevant.
ANSWER: use the /server switch in your SCANFILE definition. This would cause more CPU time on the few messages that appear as nested message encoding; it is intended for scanning servers with multiple mailbox formats and nested messages.
I follow my own advice on these two points and do not have a problem with F-Prot under Declude EVA missing known viruses.
Andrew 8)
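Added example, not part of the original thread and not Declude or F-Prot code: a Python sketch of the failure mode speculated about in the reply above, where a pre-scan step that only inspects top-level MIME parts never hands a nested message's attachment to the scanner. The function names, addresses, file name and payload are constructed for illustration; the "shallow" logic is an assumption about how such a miss could happen, not Declude's actual behaviour.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

PAYLOAD = b"PLACEHOLDER-PAYLOAD"  # constructed, harmless stand-in for an attachment body


def build_sample() -> bytes:
    """Constructed sample: an outer mail forwarding an inner mail (message/rfc822)."""
    inner = EmailMessage()
    inner["From"], inner["To"], inner["Subject"] = "a@example.com", "b@example.com", "inner"
    inner.set_content("see attachment")
    inner.add_attachment(PAYLOAD, maintype="application",
                         subtype="octet-stream", filename="report.scr")
    outer = EmailMessage()
    outer["From"], outer["To"], outer["Subject"] = "b@example.com", "c@example.com", "outer"
    outer.set_content("forwarded message attached")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer.as_bytes()


def shallow_objects(raw: bytes) -> dict:
    """Top-level leaf parts only; nested containers are skipped, never opened."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {}
    for i, part in enumerate(msg.iter_parts()):
        if part.is_multipart():  # message/rfc822 or multipart/*: treated as "not an object"
            continue
        found[part.get_filename() or f"part{i}"] = part.get_payload(decode=True)
    return found


def deep_objects(raw: bytes) -> dict:
    """Every leaf part at any nesting depth, with transfer encoding removed."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {}
    for i, part in enumerate(msg.walk()):  # walk() descends into message/rfc822
        if part.is_multipart():
            continue
        found[part.get_filename() or f"part{i}"] = part.get_payload(decode=True)
    return found


if __name__ == "__main__":
    raw = build_sample()
    print("shallow:", sorted(shallow_objects(raw)))
    print("deep:   ", sorted(deep_objects(raw)))
```

The attachment body is base64-encoded inside the nested message, so it appears nowhere in the raw bytes as plain text; only an extractor that opens the nested message and decodes the part produces the object a scanner needs to see.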
I reported this issue quite some time ago, when Scott was still running the show, and never got a satisfactory answer. You can scan the raw d*.smd file with f-prot and it will detect the virus, but run it through Declude Virus, and the virus goes through undetected. After pestering and prodding for several days, I finally gave up on getting a response that made sense. But it must have something to do with the way Declude Virus is stripping off the MIME encapsulation before calling f-prot to scan the message.
I have copied this to the Declude Virus list, as well, since it really belongs there rather than on the IMail list.
Bill
----- Original Message -----
Sent: Thursday, February 02, 2006 1:15 PM
Subject: RE: [IMail Forum] Realistic virus threat?
I've had F-Prot miss this virus on the mail server (being called from Declude). But it's caught coming to my desktop, with the same virus scanner. Is anyone else seeing this?
Mike
At 02:25 PM 2/2/2006, you wrote:
I believe F-Prot calls it W32/[EMAIL PROTECTED]
- From: Stephen Guluk [mailto:[EMAIL PROTECTED]]
- Sent: Thursday, February 02, 2006 2:19 PM
- To: Imail_Forum@list.ipswitch.com
- Subject: [IMail Forum] Realistic virus threat?
- Off topic but still related to email...
- Had a couple clients that called concerned about this virus that is said to open and do its damage tomorrow:
- [EMAIL PROTECTED]
- Win32.Nyxem.e
- I run F-prot on my mail server and their list of virus definitions shows nothing pertaining to this virus name. I wrote them but expect that they are sleeping since they are in Iceland.
- Anyone else running F-prot and know any more info on if this is a real threat?
- Regards,
- Steve Guluk
- SGDesign
- (949) 661-9333
- ICQ: 7230769